The U.S. Department of Justice announced on January 27, 2020 that Practice Fusion, a health information technology (IT) vendor, has entered into a civil settlement and deferred prosecution agreement (DPA) worth $145 million that resolves civil investigations led by the U.S. Attorney’s Office for the District of Vermont, the U.S. Attorney’s Office for the Northern District of California, and the Civil Division’s Commercial Litigation Branch of Main Justice, as well as a criminal investigation led by the U.S. Attorney’s Office for the District of Vermont (collectively, the “Government”). The agreement is yet another in a series of civil False Claims Act and Anti-Kickback Statute enforcement actions involving EHR vendors. However, the criminal kickback allegations against Practice Fusion notably focus on the financial relationships between EHR vendors and pharmaceutical manufacturers rather than those with providers, and demonstrate the Government’s view of how those relationships could potentially impact a provider’s clinical decision making. The DPA and new focus on clinical decision support (CDS) alerts within EHR software products should put vendors, manufacturers, and providers alike on notice of the potential consequences if faced with aggressive enforcement in this developing area of health information technology, and the need to take proactive steps to ensure that financial arrangements involving the development of EHR capabilities reflect practices compliant with health care fraud and abuse laws.
According to the DPA and DOJ’s press release, Practice Fusion admitted that it solicited and received payments from a “major opioid company” in relation to the design of CDS alerts that were presented through Practice Fusion’s EHR to doctors who prescribe pain medication to patients. One of the key factors cited by DOJ in prosecuting Practice Fusion was the alleged role of the opioid company’s marketing department in the development of the CDS alerts and in the overall commercial as opposed to clinical nature of the arrangement as indicated by its focus on success “metrics, switches from [instant release] to [extended release], etc.”1
The CDS alerts at issue related to pain management tools for physicians and other health care providers, and encouraged health care providers to record pain scores and to follow up with a care plan for the patient if “the patient reported pain on the pain scale of four or higher twice within four months . . . .”2 When a care plan was recommended, the CDS alert populated a menu which included various treatment options, including biofeedback, education, nonopioid analgesics, physical therapy, and opioid therapy in the form of short-acting or long-acting/extended release opioids.3 But the Government took issue with the treatment options included in the menu and asserted that the treatment menu “deviated from medical guidelines,” including those promulgated by the CDC.4 The Government also discounted the inclusion of research studies that Practice Fusion and the pharmaceutical companies did reference in developing the guidelines, and then charged that the CDS alerts were medically unsupported, relying on studies that were more favorable to its allegations.
Pursuant to the DPA, Practice Fusion will pay $25,398,300 in criminal fines and forfeit $959,700 in proceeds. Practice Fusion also agreed to pay an additional $118,642,000 to resolve allegations of civil liability under the False Claims Act “arising from the submission of false claims to federal health care programs tainted by the kickback arrangement between Practice Fusion and the opioid company”5 as well as kickback allegations related to thirteen CDS arrangements with other pharmaceutical companies, which were not detailed in the documents made available to the public. The civil settlement also resolved allegations that Practice Fusion had falsely obtained certification for its 2014 Edition EHR product under the certification program administered by the Office of the National Coordinator for Health Information Technology. On that basis, the Government concluded that Practice Fusion had knowingly caused health care providers who used certain versions of its EHR software to submit false claims to Medicare under the EHR Incentive Program when they attested that they were using Certified EHR Technology (CEHRT). In contrast to the criminal charges detailed in the DPA requiring Practice Fusion to enter into a statement of facts admitting to much of the alleged wrongful actions, the civil settlement agreement did not include any additional determination or admission of liability.
The DPA also imposes non-monetary obligations on Practice Fusion, including cooperation with ongoing investigations into other kickback schemes.6 Practice Fusion must also maintain a public website that hosts the documents related to the conduct outlined in the DPA;7 ensure compliance with data export functionality standards required for EHR certification, 2015 Edition, under the ONC Certification Program; review policies and procedures and, if necessary, implement enhanced policies and procedures to ensure patient safety; retain all versions of its code used or relied upon for testing, certification, or surveillance related to any governmental programs; and maintain a comprehensive list of software bugs on its customer portal.8 Compliance will be monitored by an independent oversight organization, and this entity is required to review all future sponsored CDS alerts before they are implemented.
The Practice Fusion settlement is novel and noteworthy for EHR vendors and health IT developers, insofar as the Government has ventured into the waters of clinical practice and decision making by scrutinizing the development and clinical application of the CDS alerts embedded in Practice Fusion’s EHR. In past enforcement actions, the Government focused mainly on technical deficiencies within EHR systems related to EHR Incentive Program certification requirements. The criminal case appears to have hinged on the pharmaceutical manufacturer’s involvement in the development and marketing of the CDS alert utilized by physicians and providers, from a commercial perspective and with a goal of increasing prescriptions. In this regard, the Government alleged that the “proof” of the primarily commercial rather than legitimately clinical nature of the arrangement was the fact that the CDS was not consistent with CDC guidelines and applicable clinical quality measures, and that the manufacturer’s marketing department was involved. With the Practice Fusion settlement, the Government has moved beyond False Claims Act and Anti-Kickback Statute allegations premised on misrepresentations that EHR software is compliant with CEHRT standards. Now the Government is delving into whether specific elements and functionalities within the EHR create risks of overutilizing or misusing drugs, which it perceives as generating fraud and abuse to federal health care programs.
In the wake of the Practice Fusion settlement and its implications, EHR vendors and health IT developers should consider the following when entering into arrangements related to the development of EHR functionalities like CDS and in evaluating existing arrangements:
- Clearly defining the role that marketing personnel, internally or externally, may have, if any, in the development of EHR functions that involve clinical inputs and generate recommendations to providers who prescribe medications or provide services covered by federal health care programs.
- Requiring that any performance measurement of EHR functions not rely on metrics related to the commercial success of the product or course of treatment selected by a clinician.
- Implementing independent review processes, including clinical and legal review, as part of due diligence, to evaluate the CDS or similar tool and the research being used to support the information being presented to providers within the EHR.
Health IT and EHR vendors that have identified financial relationships related to sponsored CDS or other functionalities should immediately reach out to their outside counsel to evaluate these arrangements and determine whether self-disclosure pathways through the HHS Office of the Inspector General's Self-Disclosure Protocol or a local U.S. Attorney’s Office are warranted to mitigate potential enforcement risk under the Anti-Kickback Statute and the FCA.